Best way to find out what happened in a shared mailbox through the audit logs?


Hi everyone

I have a case where someone claims several mails between Jan 1st and Feb 27th were not received into a specific shared mailbox.

I checked message trace and there I can find all of them with a state of 'delivered to Inbox'.

Now I know that doesn't automatically mean 'well someone must have deleted them' so I need to find out what exactly happened to those mails after getting to the Inbox.

The fact that it's a shared mailbox (with 8 people having access) means I will have to look at audit logs of all 8 people but for such a long period of time, I fear if I just look for deleted/purged items for all 8 users, I am going to get a huge file which will be very difficult to sift through.

The subject of the missing mails is always the same but I haven't found an 'ItemSubject' variable I can use on EXO...

Any tips on how to best tackle this and next steps if audit log does not provide answers?

2 Replies

Auditing isn't enabled by default for shared mailboxes, so you might not get any information from there. I'd suggest doing a mailbox search or eDiscovery content search for the missing messages (both of these accept a subject query).
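The approach suggested in this reply, sketched as an added example that is not part of the original thread: check whether auditing was on for the shared mailbox, run a content search by subject, then filter the mailbox audit log on the subject client-side. The mailbox address, subject text and year are constructed placeholders, and the script assumes existing Exchange Online and Security & Compliance PowerShell sessions.

```powershell
# Constructed placeholders: replace with the real mailbox, subject and year.
$Mailbox = 'shared-mailbox@example.com'
$Subject = 'Constructed subject line'
$Start   = [datetime]'2000-01-01'
$End     = [datetime]'2000-02-27'

# 1. Was mailbox auditing enabled for the shared mailbox at all?
Get-Mailbox -Identity $Mailbox |
    Format-List AuditEnabled, AuditDelegate, AuditLogAgeLimit

# 2. Content search by subject and received date
#    (requires a Security & Compliance session, e.g. via Connect-IPPSSession).
$kql  = 'subject:"{0}" AND received:{1:yyyy-MM-dd}..{2:yyyy-MM-dd}' -f $Subject, $Start, $End
$name = "Missing-mail-$(Get-Date -Format yyyyMMddHHmmss)"
New-ComplianceSearch -Name $name -ExchangeLocation $Mailbox -ContentMatchQuery $kql | Out-Null
Start-ComplianceSearch -Identity $name
do {
    Start-Sleep -Seconds 15
    $search = Get-ComplianceSearch -Identity $name
} while ($search.Status -ne 'Completed')
$search | Format-List Name, Status, Items, Size

# 3. If auditing was enabled, pull delete/move events for every logon type
#    and keep only those touching the subject, so the output stays small.
#    The end date is "now" because a deletion can happen long after delivery.
$deleteOps = 'SoftDelete', 'HardDelete', 'MoveToDeletedItems'
Search-MailboxAuditLog -Identity $Mailbox -LogonTypes Owner, Delegate, Admin `
        -ShowDetails -StartDate $Start -EndDate (Get-Date) -ResultSize 50000 |
    Where-Object {
        $_.Operation -in $deleteOps -and
        $_.SourceItemSubjectsList -like "*$Subject*"
    } |
    Select-Object LastAccessed, Operation, LogonType, LogonUserDisplayName,
                  SourceItemSubjectsList, FolderPathName |
    Sort-Object LastAccessed
```

An empty result from step 3 only means no matching audit records exist; if step 1 shows auditing was off during the period, the audit log cannot identify who acted on the messages.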


Thanks Vasil. Mailbox search did the trick. They were effectively deleted but of course, nobody actually deleted them when you ask the people who have access to the shared mailbox :)